Hybrid intelligent approach for network intrusion detection

In recent years, computer networks are broadly used, and they have become very complicated. A lot of sensitive information passes through various kinds of computer devices, ranging from minicomputers to servers and mobile devices. These occurring changes have led to draw the conclusion that the number of attacks on important information over the network systems is increasing with every year. Intrusion is the main threat to the network. It is defined as a series of activities aimed for exposing the security of network systems in terms of confidentiality, integrity and availability, as a result; intrusion detection is extremely important as a part of the defense. Hence, there must be substantial improvement in network intrusion detection techniques and systems. Due to the prevailing limitations of finding novel attacks, high false detection, and accuracy in previous intrusion detection approaches, this study has proposed a hybrid intelligent approach for network intrusion detection based on k-means clustering algorithm and support vector machine classification algorithm. The aim of this study is to reduce the rate of false alarm and also to improve the detection rate, comparing with the existing intrusion detection approaches. In the present study, NSL-KDD intrusion dataset has been used for training and testing the proposed approach. In order to improve classification performance, some steps have been taken beforehand. The first one is about unifying the types and filtering the dataset by data transformation. Then, a features selection algorithm is applied to remove irrelevant and noisy features for the purpose of intrusion. Feature selection has decreased the features from 41 to 21 features for intrusion detection and later normalization method is employed to perform and reduce the differences among the data. Clustering is the last step of processing before classification has been performed, using k-means algorithm. Under the purpose of classification, support vector machine have been used. After training and testing the proposed hybrid intelligent approach, the results of performance evaluation have shown that the proposed network intrusion detection has achieved high accuracy and low false detection rate. The accuracy is 96.025 percent and the false alarm is 3.715 percent

CHID : conditional hybrid intrusion detection system for reducing false positives and resource consumption on malicous datasets

Inspecting packets to detect intrusions faces challenges when coping with a high volume of network traffic. Packet-based detection processes every payload on the wire, which degrades the performance of network intrusion detection system (NIDS). This issue requires an introduction of a flow-based NIDS that reduces the amount of data to be processed by examining aggregated information of related packets. However, flow-based detection still suffers from the generation of the false positive alerts due to incomplete data input. This study proposed a Conditional Hybrid Intrusion Detection (CHID) by combining the flow-based with packet-based detection. In addition, it is also aimed to improve the resource consumption of the packet-based detection approach. CHID applied attribute wrapper features evaluation algorithms that marked malicious flows for further analysis by the packet-based detection. Input Framework approach was employed for triggering packet flows between the packetbased and flow-based detections. A controlled testbed experiment was conducted to evaluate the performance of detection mechanism’s CHID using datasets obtained from on different traffic rates. The result of the evaluation showed that CHID gains a significant performance improvement in terms of resource consumption and packet drop rate, compared to the default packet-based detection implementation. At a 200 Mbps, CHID in IRC-bot scenario, can reduce 50.6% of memory usage and decreases 18.1% of the CPU utilization without packets drop. CHID approach can mitigate the false positive rate of flow-based detection and reduce the resource consumption of packet-based detection while preserving detection accuracy. CHID approach can be considered as generic system to be applied for monitoring of intrusion detection systems

Developing an empirical study of how qualified subjects might be selected for IT system security penetration testing

This paper describes a planned program of investigation designed to determine what characteristics are signficant in predicting performance of students used as subjects in IT system penetration testing testbeds. In large part the experimental design replicates an earlier study by Jonsson et al., and extends that study to include factors describing the attacking subjects. In this way the proposed study is expected to be able to verify and further their work by collecting data on a larger population of subjects. Among others we expect to verify their hypothesis that to the stationary nature of the breaking-in process and the intrusion process during the standard attack phase is characterized by exponential distribution. Finally, the proposed study will be also usable for the purpose of evaluation of intrusion detection systems

Performance Evaluation of Classification Techniques for Intrusion Detection in Noisy Datasets

Data mining provides a useful environment and set of tools for processing large datasets such as Intrusion Detection Systems` (IDS) logs. Researchers improve existing IDS models by comparing the performance of various algorithms on these datasets. It is very important to keep in mind that an IDS often has to work in a noisy network environment. Network noise is one of the most challenging issues for efficient threat detection and classification. In this study, normal and noisy datasets for network IDS domain are used and various classification algorithms are evaluated. The results show that an evaluation of algorithms without noise is misleading for IDSs since algorithms that perform best without noise do not necessarily achieve the same in a realistic noisy environment. Moreover refined NSL KDD dataset allows a more realistic evaluation of various algorithms than the original KDD 99 dataset

Incident Prioritisation for Intrusion Response Systems

The landscape of security threats continues to evolve, with attacks becoming more serious and the number of vulnerabilities rising. To manage these threats, many security studies have been undertaken in recent years, mainly focusing on improving detection, prevention and response efficiency. Although there are security tools such as antivirus software and firewalls available to counter them, Intrusion Detection Systems and similar tools such as Intrusion Prevention Systems are still one of the most popular approaches. There are hundreds of published works related to intrusion detection that aim to increase the efficiency and reliability of detection, prevention and response systems. Whilst intrusion detection system technologies have advanced, there are still areas available to explore, particularly with respect to the process of selecting appropriate responses. Supporting a variety of response options, such as proactive, reactive and passive responses, enables security analysts to select the most appropriate response in different contexts. In view of that, a methodical approach that identifies important incidents as opposed to trivial ones is first needed. However, with thousands of incidents identified every day, relying upon manual processes to identify their importance and urgency is complicated, difficult, error-prone and time-consuming, and so prioritising them automatically would help security analysts to focus only on the most critical ones. The existing approaches to incident prioritisation provide various ways to prioritise incidents, but less attention has been given to adopting them into an automated response system. Although some studies have realised the advantages of prioritisation, they released no further studies showing they had continued to investigate the effectiveness of the process. This study concerns enhancing the incident prioritisation scheme to identify critical incidents based upon their criticality and urgency, in order to facilitate an autonomous mode for the response selection process in Intrusion Response Systems. To achieve this aim, this study proposed a novel framework which combines models and strategies identified from the comprehensive literature review. A model to estimate the level of risks of incidents is established, named the Risk Index Model (RIM). With different levels of risk, the Response Strategy Model (RSM) dynamically maps incidents into different types of response, with serious incidents being mapped to active responses in order to minimise their impact, while incidents with less impact have passive responses. The combination of these models provides a seamless way to map incidents automatically; however, it needs to be evaluated in terms of its effectiveness and performances. To demonstrate the results, an evaluation study with four stages was undertaken; these stages were a feasibility study of the RIM, comparison studies with industrial standards such as Common Vulnerabilities Scoring System (CVSS) and Snort, an examination of the effect of different strategies in the rating and ranking process, and a test of the effectiveness and performance of the Response Strategy Model (RSM). With promising results being gathered, a proof-of-concept study was conducted to demonstrate the framework using a live traffic network simulation with online assessment mode via the Security Incident Prioritisation Module (SIPM); this study was used to investigate its effectiveness and practicality. Through the results gathered, this study has demonstrated that the prioritisation process can feasibly be used to facilitate the response selection process in Intrusion Response Systems. The main contribution of this study is to have proposed, designed, evaluated and simulated a framework to support the incident prioritisation process for Intrusion Response Systems.Ministry of Higher Education in Malaysia and University of Malay

A Prey-Predator Defence Mechanism For Ad Hoc On-Demand Distance Vector Routing Protocol

This study proposes a nature-based system survivability model. The model was simulated, and its performance was evaluated for the mobile ad hoc wireless networks. The survivability model was used to enable mobile wireless distributed systems to keep on delivering packets during their stated missions in a timely manner in the presence of attacks. A prey-predator communal defence algorithm was developed and fused with the Ad hoc On-demand Distance Vector (AODV) protocol. The mathematical equations for the proposed model were formulated using the Lotka-Volterra theory of ecology. The model deployed a security mechanism for intrusion detection in three vulnerable sections of the AODV protocol. The model simulation was performed using MATLAB for the mathematical model evaluation and using OMNET++ for protocol performance testing. The MATLAB simulation results, which used empirical and field data, have established that the adapted Lotka-Volterra-based equations adequately represent network defense using the communal algorithm. Using the number of active nodes as a measure of throughput after attack (with a maximum throughput of 250 units), the proposed model had a throughput of 230 units while under attack and the intrusion was nullified within 2 seconds. The OMNET++ results for protocol simulation that use throughput, delivery ratio, network delay, and load as performance metrics with the OMNET++ embedded datasets showed good performance of the model, which was better than the existing conventional survivability systems. The comparison of the proposed model with the existing model is also presented. The study concludes that the proposed communal defence model was effective in protecting the entire routing layer (layer 2) of the AODV protocol when exposed to diverse forms of intrusion attacks

Efficient intrusion detection scheme based on SVM

The network intrusion detection problem is the focus of current academic research. In this paper, we propose to use Support Vector Machine (SVM) model to identify and detect the network intrusion problem, and simultaneously introduce a new optimization search method, referred to as Improved Harmony Search (IHS) algorithm, to determine the parameters of the SVM model for better classification accuracy. Taking the general mechanism network system of a growing city in China between 2006 and 2012 as the sample, this study divides the mechanism into normal network system and crisis network system according to the harm extent of network intrusion. We consider a crisis network system coupled with two to three normal network systems as paired samples. Experimental results show that SVMs based on IHS have a high prediction accuracy which can perform prediction and classification of network intrusion detection and assist in guarding against network intrusion